Add the scripted IPMASQADM example to the Forwarders section. Also confirm
the syntax.

Add a little section on having multiple subnets behind a MASQ server

Confirm the IPCHAINS ruleset and make sure it is consistent with the IPFWADM
ruleset

TO DO - WWW page:

Update the PPTP patch on the masq site

Update the portfw FTP patch

Changes from 05/22/05 to 11/13/05

11/13/05 - Fix a bug where the PORTFW example rule in section 6.7 was
incorrect. Updated the IPTABLES PORTFW section to include state tracking
for the pre-routing rule, added a cross-reference to the PORTFW FAQ entry,
and reduced some duplicate PORTFW examples in different chapters of the HOWTO.
Thanks to Thomas Zajic for bringing this to my attention.

10/23/05 - Updated the dynamic IP FAQ section to give complete examples
on how to re-run the rc.firewall-* scripts for various different DHCP clients

10/19/05 - Updated the HOWTO to be very clear on loading the various
rc.firewall-* rulesets (there are 6 of them in this HOWTO both simple and
stronger versions for IPTABLES, IPCHAINS, and IPFWADM) files vs. loading a
generic rc.firewall file. I also updated the troubleshooting section to
reflect this possibly confusing point.

05/22/05 - Updated the rc.firewall-iptables-stronger ruleset to 0.87s.
Removed the unused drop-and-logit chain as it was only later being deleted
anyway. Thanks to Matthew Concannon for this one.

05/21/05 - Updated the Multiple-IPs FAQ entry a bit

Changes from 04/17/05 to 05/03/05

05/03/05 - Updated the rc.firewall-iptables-stronger ruleset to fix a typo

Changes from 03/19/04 to 04/17/05

04/30/05 - Updated the IP address for unc.metalab.org and published the
HOWTO to the web.

12/18/04 - Added some comments in the IPTABLES, IPCHAINS, and IPFWADM
rulesets why the default policy is ACCEPT and not something like DROP.

07/24/04: Renamed the rc.firewall-2.4/2.2/2.0-* rulesets to
rc.firewall-iptables/ipchains/ipfwadm-*. This change better reflects that
these rulesets can run on different kernel versions (such as 2.6.x). Updated
the rc.firewall-iptables-stronger ruleset to 0.85s to fix an improper /24
netmask for the INTIP variable.

04/10/04: Updated the rc.firewall-2.4-stronger ruleset to use the 192.16.0.x
network instead of 192.168.1.x network to better align with the rest of the
HOWTO

01/10/04: Updated the rc.firewall-2.4-stronger and 2.2 rulesets to make
placement of PORTFW configs more obvious

01/01/04: Some systems require that the /etc/rc.d/init.d/firewall-2.* files
be executable. Fixed. Thanks to Chris Carter and others for the nudge.

01/01/04: Added an additional chkconfig check on Redhat systems to make sure
that the firewall will load upon init level change. Thanks to Chris Carter
for the idea.

12/19/03: Updated the rc.firewall-2.4-stronger ruleset to 0.82. This
new ruleset has a special ICMP filter to work around a Netfilter bug.
Also, the drop-and-log-it chain has been renamed to reject-and-log-it
since that's actually what it's doing. Thanks to Bart Martens for the
recommendations.

11/30/03: Updated the rc.firewall-2.4-stronger ruleset to 0.81s, the
rc-firewall-2.2-stronger ruleset to 0.72s, and updated the
rc.firewall-2.0-stronger ruleset to 0.72s (never had a version # before).
These changes reflect either the ruleset not having strong enough comments
or allowing all traffic destined to the MASQ server itself from being
protected. It's recommended that if you want to enable access to servers running
on the MASQ server itself (http, ssh, etc.), selectively enable them under the
OPTIONAL INPUT section.

11/03/03: Updated the rc.firewall-2.2-stronger ruleset where an INTLAN rule
that was allowing traffic from ANY IP address instead of the proper INTIP IP
address only. This aligns the IPCHAINS ruleset with the IPTABLES and IPFWADM
ruleset examples

11/10/03: Deleted all kernelnotes.org URLS (juanjox URLs)

Changes from 06/22/03 to 11/09/03

10/25/03: Fixed a dead RFC1918 URL in section 3.3. Thanks to Mark Sobell for the report.

07/07/03: Added the "reducing-masq-log" FAQ entry to help people reduce the
size of their firewall logs.

06/27/03: Updated the rc.firewall-2.4-stronger ruleset to 0.80s. Added a
DISABLED ip_nat_irc kernel module section, changed the default of the
ip_conntrack_irc to NOT load by default, and added additional kernel module
comments.

06/22/03: Updated the various Indyramp MASQ email URLs again as things seemed
to have changed. Again.

06/21/03: Rewrote the MTU FAQ section to be more clear, include specific
information of the problems, and also fixed a bad typo for PPPoE users who
were trying to configure "--clamp-mss-to-mtu" when it should have been
"--clamp-mss-to-pmtu" (missing the p in pmtu).

06/13/03: Added kernel info for Mandrake 8.1

06/02/03: Fixed a typo where extended 2.2.x kernel checks for IPMASQ
functionality was using "cat" and not "ls"

05/25/03: Fixed a SGML script that was improperly converting ampersands
for the downloadable firewall-* and rc.firewall-* scripts. Also caught a
SGML ampersand bug in a comment section of the rc.firewall-2.0 file

05/25/03: Lots of little updates like: updated the Intro section verbiage a
little to reflect BETA kernels and not OLD kernels; Updated the Forward
section (not PORTFW) to be a little more generic; Added a link in the Forward
to the IPMASQ email list; Updated the dates in the copyright notice;

05/24/03: Updated the "Current Status" to add the remark that some
programs have been updated to use NAT-friendly protocols and thus special
NAT modules are no longer required

05/24/03: Updated the Compiling Linux 2.2.x / 2.0.x section: Deleted the
recommendations to load the rc.firewall ruleset via rc.local. This should
come later in the HOWTO and offer other methods for different Linux
distributions

05/24/03: Updated the ICQ Application section to say that these steps are
/not/ required for modern ICQ clients. I've left this section in the HOWTO
to demonstrate a large PORTFW example

05/24/03: Made some of the FAQ entries more kernel version generic and also
deleted the 2.0.x "upgrades-cont.html" FAQ entry as it was basically a
duplicate

05/24/03: Updated the LooseUDP game section to explain how it works,
explain how much of this was properly solved under the stateful IPTABLES
system, and also say that it is NOT available for the 2.4.x kernels.
If IPTABLES's stateful UDP tracking doesn't work for you, you're probably out
of luck.

05/24/03: Mentioned in the FAQ section that MASQ timers are NOT adjustable
under IPTABLES

04/11/03: Fixed an incorrect echo statement saying the IPTABLES policy was
being set to REJECT and not DROP.

Changes from 01/31/03 to 04/08/03

04/08/03: Added additional formatting and the "ip_masquerade" /proc entry
into Section 3.2. This helps users determine if their kernel is MASQ-ready.

03/08/03: Added the EXTIP variable to the 2.4.x PORTFW example as several
people were trying to use this with the BASIC ruleset and I had assumed they
were using the STRONGER ruleset. Thanks to Greg Lukins for bringing this
to my attention.

01/31/03: Doh. I should have read my own comments. I've reversed the
2.4.x. policy settings from REJECT back to DROP. REJECT, for some lame
reason, is not a legal policy. The recommended REJECT action is still
carried out via the "drop-and-log-it" user chain.

01/30/03: Updated the Multiple-IPs FAQ entry to better describe how users
that want to put external IPs behind a Linux router. Added additional URLs
and cleaned up the text a bit too.

01/30/03: Updated the 2.4.x requirement section to reflect more of the pros
of IPTABLES as well as updated the update status of some old legacy 2.2.x
modules

01/30/03: Added an additional FAQ entry that clearly explains what the
ipchains.o module can and CANNOT do on 2.4.x. kernels

01/28/03: Extensively updated the 2.4.x kernel compilation section to reflect
a 2.4.20 kernel with IPTABLES 1.2.7a. The section also reflects the new
methods to compile IPTABLES, apply Patch-O-Matic patches, and also included
lots of example output too.

01/28/03: Updated the kernel compiling section to be a little more clear on how
different Linux distros can have different kernels (modules vs. monolithic)

01/17/03: Fixed a major issue where the rc.firewall-2.2-stronger ruleset
was referencing missing executable variables. This was taken from the
2.4-stronger ruleset but I guess I forgot to finish it off. Fixed.
Thanks to Samuel Kim for catching this!

01/17/03: Fixed an issue where the rc.firewall-2.2-stronger's commented
HTTP section was missing the "-p tcp" option.
Thanks to Samuel Kim for catching this!

01/16/03: Updated the URL for DJSF's ICQ module

01/16/03: Changed the default policy and drop chain from DENY to REJECT
on both IPTABLES rulesets and on the advanced IPFWADM ruleset.
Thanks to Jonathan Hutchins for bringing this to my attention.

01/16/03: Fixed a typo in the commented out HTTPd OUTPUT section of the
rc.firewall-2.2-s ruleset

01/13/03: Updated the IPMASQ www site URL from ipmasq.cjb.net to
ipmasq.webhop.net. CJB started to change their policies so we switched.

01/13/03: Added to the 2.4.x Requirements section that IPTABLES v1.2.7a is
out and recommended.

01/13/03: Added an additional test item to the "Test Section - Section 5" for
versions of IPTABLES that are too old. I also cleaned up this section to read
easier.

01/13/03: Updated the rc.firewall-2.4-stronger ruleset to include commented
rules to allow in HTTP traffic to a local HTTP server. Also added a rule
comment in the FORWARD section to help users know where to put PORTFW commands.

01/13/03: Updated the rc.firewall-2.2-stronger ruleset to include commented
rules to allow in HTTP traffic to a local HTTP server. Also added a rule
comment in the FORWARD section to help users know where to put PORTFW commands.

01/13/03: Clarified the PORTFW section to help users better understand where
the PORTFW commands should go in the rc.firewall rulesets. I also cleaned up
this section to read a little better.

Changes from 12/13/02 to 01/12/03

01/03/03: Added Redhat 7.3 and 8.0 to the compatibility chart.

01/03/03: Fixed various typos. Thanks to Gabriel Withington for the sharp
eye.

11/27/02: Fixed the init.d scripts to point the header to the correct config
file. This must be due to newer versions of "chkconfig" doing better checking.
Please note that this might still be a problem for the rc.firewall-2.?-stronger
rulesets. Thanks to Joris Van Puyenbroeck for the heads up.

11/25/02: Updated all the firewall comments to reflect that PPPoE users need to
use the "ppp0" logical interface as their external interface instead of the
physical interface such as "eth0". Thanks to Meng Cheah for the nudge.

11/13/02: Updated the URL for the Donald Becker based NIC drivers. Thanks to
Bruce Gorgon for the heads up.

11/01/02: Added a new FAQ section that covers redirection of local INTERNAL
traffic to internal PORTFWed servers

08/29/02: Fixed a typo in the firewall-2.2 startup script which
was starting the 2.4 firewall and not the 2.2. version.
Thanks to Jean-Marc Vanel for catching this.

08/25/02: Updated the rc.firewall-2.2-stronger and rc.firewall-2.2
scripts to use shell environment variables.

07/09/02: Updated the FTP PORTFW section to be more readable

07/06/02: Replaced all the filewatcher.org URLs with netfilter.org
URLs

06/12/02: Changed some of the formatting to try and help newbies
better understand that the "\" character is used as a continuation
of the previous line.

06/12/02: Updated the IP address of metalab.unc.edu in Section 5.
Thanks to Pete Trachy for bringing this to my attention but please note
that even major sites like Metalab change their IPs, subnets, or even
ISPs from time to time.

06/02/02: Updated the rc.firewall-2.4 ruleset to include a commented
option for NATing IRC DCCs, added the use of more environment vars, and
added additional formatting.

05/18/02: Added some extra # lines to the commented section of the
rc.firewall-2.4-stronger ruleset to better serve Cut and Paste users.

05/04/02: - Updated the various PPTP MASQ links to point to a valid URL.
Also updated the HOWTO to reflect that PPTP is now supported on the 2.4.x
kernels.

05/03/02: - Updated the 2.4.x kernel requirements section to point out
that IPCHAINS compatibility under 2.4.x kernels isn't very good. If you
want to use IPMASQ under a 2.4.x kernel, you should use IPTABLES rules only.

Changes from 01/05/02 to 04/19/02 - v2.00.041902 published to the LDP

04/01/02: - Updated the rc.firewall-2.4-stronger ruleset to denote
and disable internal DHCP server support on the OUTPUT rules

09/16/01: - Cleaned up and updated the PORTFW section to also include
PREROUTING examples for 2.4.x kernels.

09/13/01: - Updated the IPTABLES simple rc.firewall ruleset to 0.62.
This fixed a typo on the MASQ enable line that used eth0
instead of $EXTIF.
Thanks to Hafi for reporting this.

09/07/01: - It seems that most people who are getting IPCHAINS and IPTABLES
conflicts are running Redhat 7.1. I have updated section
5 on how to fix this. Thanks to Jason Wenzel for helping me
with this.

09/07/01: - Noted that IPTABLES v1.2.3 is current version. All versions
less than v1.2.3 have an FTP module bug that can bypass strong
firewall rulesets. Please upgrade your copy of IPTABLES now.

09/07/01: - Created version numbers for the simple rc.firewall rulesets
(IPTABLES - v0.61) (IPCHAINS - v1.01) (IPFWADM - v2.01). and
cleaned up some of the comments in each section.

09/07/01: - Added rules to the simple rc.firewall rulesets to flush the
various tables. In addition to this, I have added the use
of environment variables and more echo statements in the
rulesets to make things easier to edit and monitor.
Thanks to Ian Bishop for the good idea.

09/07/01: - Added the use of EXTIF and INTIF interface variables in each of
the rc.firewall and partial firewall rulesets for better
clarity (similar to how TrinityOS has been doing for a while
now). Thanks to Sean McKeon for the nudge.

09/07/01: - Fixed a typo in the UNIX client configuration section where the
network broadcast was 192.168.0.25 instead of .255.

Changes from 2.01 to 2.05 - 08/26/01

08/19/01: - Added an additional testing step in Section5 to make sure the
rc.firewall file loads ok. Thanks to Steven Levis for the good idea.

08/15/01: - Change the reference for the /etc/hosts file from RFC952 to
RFC1035. Thanks to Michael F. Maggard for the correction.

Changes from 1.96 to 2.01 - 08/12/01

08/12/01: - Updated the basic IPTABLES ruleset to 0.60 which fixed a major
issue where all MASQed packets were being dropped. Ultimately,
I forgot to add a rule to ACCEPT correct packets through the
forwarding chain.

- Added an additional rule to log all bogus FORWARD packets

- Load the FTP nat modules now by default

- Changed the load order of some of the kernel modules to not
create bogus error messages

- Added an IPTABLES section on how to MASQ specific hosts vs. an
entire subnet

- Added more MASQ-client compatible operating systems

07/19/01: - The advanced IPCHAINS example for forwarding between multiple
interfaces was missing the critical "-j ACCEPT" to actually let
the packets flow.
Thanks to Shingo Yamaguchi for catching this.

Changes from 1.96 to 2.00 - 06/10/01

06/21/01: Updated Section 5 (Testing Section) to add an additional test to
help users troubleshoot their MASQ setup. There are now a total
of -11- tests.
06/16/01: Updated the intro History section at the beginning of the HOWTO.
06/14/01: Added mirror Netfilter and IPCHAINs mirror URLs
06/13/01: Updated the H.323 URL

06/10/01:
Double DOH! The simple rc.firewall script for the 2.4 kernels had
two major errors in it. The new version is far more informative
and even works!
I am continuing to go through the HOWTO and cleaning things up
but I'm not done quite yet.

06/02/01:
Updated the lists of known compatible MASQ'ed operating systems
(Windows M3, Linux 2.3, 2.4, etc)
Made more references to DHCP and DNS in the various different MASQ client
configuration guides.

04/12/01:
Thanks to the Joshua X and the other people at Command Prompt, Inc.
for the port of the HOWTO from LinuxDoc to DocBook.
Add email list URL to line 126

Changes from 1.90 to 1.95 - 11/11/00

A BIG thanks to the Joshua X and the other people at Command Prompt, Inc.
for the port of the HOWTO from LinuxDoc to DocBook.

Added a quick upfront notice in the intro that running a SINGLE NIC in MASQ
multiple ethernet segments is NOT recommended and linked to the relevant FAQ
entry. Thanks to Daniel Chudnov for helping the HOWTO be more clear.

Added a pointer in the Intro section to the FAQ section for users looking for
how MASQ is different from NAT and Proxy services.

Reordered the Kernel requirements sections to be 2.2.x, 2.4.x, 2.0.x

Expanded the kernel testing in Section 3 to see if a given kernel already
supports MASQ or not.

Reversed the order of the displayed simple MASQ ruleset examples (2.2.x and 2.0.x)

Cleaned up some formatting issues in the 2.0.x and 2.2.x rc.firewall files

Noted in the 2.2.x rc.firewall that the defrag option is gone in some distro's
proc (Debian, TurboLinux, etc)

Added a NOTE #3 to the rc.firewall scripts to include instructions for Pump.
Thanks to Ross Johnson for this one.

Cleaned up the simple MASQ ruleset examples for both the 2.2.x and 2.2.x
kernels

Updated the simple and stronger IPCHAINS and IPFWADM rulesets to include the
external interface names (IPCHAINS is -i; IPFWADM is -W) to avoid some internal
traffic MASQing issues.

Vastly expanded the Section 5 (testing) with even more testing steps with added
complete examples of what the output of the testing commands should look like.

Moved the H.323 application documentation from NOT supported to Supported. :-)

Reordered the Multiple LAN section examples (2.2.x then 2.0.x)

Made some additional clarifications to the Multiple LAN examples

Fixed a critical typo with multiple NIC MASQing where the network examples had
the specified networks reversed. Thanks to Matt Goheen for catching this.

Added a little intro to MFW in the PORTFW section.

Reversed the 2.0.x and 2.2.x sections for PORTFW

Updated the news regarding PORTFWing FTP traffic for 2.2.x kernels

NOTE: At this time, there *IS* a BETA level IP_MASQ_FTP module
for PORT Forwarding FTP connections 2.2.x kernels which also supports
adding additional PORTFW FTP ports on the fly without the requirement
of unloading and reloading the IP_MASQ_FTP module and thus breaking
any existing FTP transfers.

Updated the PORTFW section to also mention that users can use FTP proxy
applications like the one from SuSe to support PORTFWed FTP-like
functionality. Thanks to Stephen Graham for this one.

Updated the example for how to enable PORTFWed FTP to also include required
configurations on how the ip_masq_ftp module is loaded for users who use
multiple PORTs to contact multiple internal FTP servers. Thanks to Bob Britton
for reminding me about this one.

Added a FAQ entry for users who have embedded ^Ms in their rc.firewall
file

Expanded the FAQ entry talking about how MASQ is different from NAT and Proxy
to include some informative URLs.

Updated the explanation of the MASQ MTU issue and described the two main
explanations for the issue.

Clarified that the RFC, PPPoE should only require an MTU of 1492 though some
ISPs require a setting of 1460. Because of this, I have updated the example
to show an MTU of 1492.

Broke out the Windows 9x sections into Win95 and Win98 as they use different
settings (DWORD vs. STRING). I also updated the sections to be clearer and the
Registry backup methods have been updated.

Fixed an issue where the WinNT entry should have been a DWORD and not a
STRING.

A serious thanks goes out to Geoff Mottram for his various PPPoE and various
Windows Registry entry fixes.

Added an explicit URL for Oident in the IRC FAQ entry

Updated the FAQ section regarding some broken "netstat" versions

Added new FAQ sections for MASQ accounting ideas and traffic shaping

Expanded the IPROUTE2 FAQ entry on what Policy-routing is.

Moved the IPROUTE2 URLs to the 2.2.x Kernel requirements section and also added
a few more URLs as well.

Corrected the "intnet" variable in the stronger IPCHAINS ruleset to reflect the
192.168.0.0 network to be consistent with the rest of the example. Thanks to
Ross Johnson for this one.

Added a new FAQ section for users asking about forwarding problems between
multiple internal MASQed LANs.

Added a new FAQ section about users wanting to PORTFW all ports from multiple
external IP addresses to internal ones. I also touched on users who were trying
to PORTFW all ports on multiple IP ALIASed interfaces and also noted the
Bridge+Firewall HOWTO for DSL and Cablemodem users who have multiple IPs in a
non-routed environment.

Added Redhat 7.0 to the MASQ supported distros. Thanks to Eugene Goldstein for
this one.

Fixed a mathematical error in the "Maximum Throughput" calculation in the FAQ
section. Thanks to Joe White @ ip255@msn.com for this one.

Fixed the Windows9x MTU changes to be a STRING change and not a DWORD change
to the registry. Thanks to jmoore@sober.com for this one.

Updated the comments in the 2.0.x rc.firewall script to note that the ip_defrag
option is for both 2.0 and 2.2 kernels. Thanks to pumilia@est.it for this
clarification.

Changes from 1.85 to 1.90 - 07/03/00

Updated the URL for TrinityOS to reflect its newest layout

Caught a typo in the IPCHAINS rulesets where I was setting "ip_ip_always_defrag"
instead of "ip_always_defrag"

The URL to Taro Fukunaga was invalid since it was using "mail:" instead of
"mailto:"

Added some clarification to the "Masqing multiple internal interfaces" where
some users didn't understand why eth0 was referenced multiple times.

Fixed another "space after the EXTIP variable" bug in the stronger IPCHAINS
section. I guess I missed one.

In Test #7 of Section 5, I referred users to go back to step #4. That should
have been step #6.

Updated the kernel versions that came with SuSe 5.2 and 6.0

Fixed a typo (or vs. of) in Section 7.2

Added Item #9 to the Testing MASQ section to refer users who are still having
MASQ problems to read the MTU entry in the FAQ

Improved the itemization in Section 5

Updated the IPCHAINS syntax to show the MASQ/FORWARD table. Before, it was
valid to run "ipchains -F -L" but now only "ipchains -M -L" works.

Updated the LooseUDP documentation to reflect the new LooseUDP behavior in
2.2.16+ kernels. Before, it was always enabled, now, it defaults to OFF due
to a possible MASQed UDP port scanning vulnerability. I updated the BASIC and
SEMI-STRONG IPCHAINS rulesets to reflect this option.

Updated the recommended 2.2.x kernel to be 2.2.16+ since there is a TCP root
exploit vulnerability on all lesser versions.

Added Redhat 6.2 to the MASQ supported list

Updated the link for Sonny Parlin's FWCONFIG to point to fBuilder.

Updated the various examples of IP addresses from 111.222.333.444 to be
111.222.121.212 and within a valid IP address range

Updated the URL for the BETA H.323 MASQ module

Finally updated the MTU FAQ section to help out PPPoE DSL and Cablemodem users.
Basically, Section 7.15 now reflects the fact that users can
also change the MTU settings of all of their INTERNAL machines to solve the
dreaded MASQ MTU issue.

Added a clarification to the PORTFW section that PORTFWed connections which
work for EXTERNAL clients but will not work for INTERNAL clients. If you also
need INTERNAL portfw, you will need to also implement the REDIR tool as well.
I also noted that this issue is fixed in the 2.4.x kernels with Netfilter.

I also added a technical explanation from Juanjo to the end of the PORTFW
section to why this scenario doesn't work properly.

Updated all of the IPCHAINS URLs to point to Paul Rusty's new site at
http://www.netfilter.org/ipchains/

Updated Paul Rusty's email address

Added a new FAQ section for users whose connections remain idle for a long
period of time and PORTFWed connections no longer work.

Updated all the URLs to the LDP that pointed to metalab.unc.edu to the new
site of linuxdoc.org

Updated the Netfilter URLs to point to renamed HOWTOs, etc.

I also updated the status of the 2.4.x support to note that I *will* add full
Netfilter support to this HOWTO and if the time comes, then split that support
off into a different HOWTO.

Updated the 2.4.x Requirements section to reflect how NetFilter has changed
compared to IPFWADM and IPCHAINS and gave a PROs/CONs list of new features and
changes to old behaviors.

Added a TCP/IP math example to the "My MASQ connection is slow" FAQ entry to
better explain what a user should expect performance wise.

Updated the HOWTO to reflect that newer versions of the "pump" DHCP client now
can run scripts upon bringup, lease renew, etc.

Updated the PORTFWing of FTP to reflect that several users say they can
successfully forward FTP traffic to internal machines without the need of a
special ip_masq_ftp module. I have made the HOWTO reflect that users should
try it without the modified module first and then move to the patch if required.

Changes from 1.82 to 1.85 - 05/29/00

Ambrose Au's name has been taken off the title page as David Ranch has been
the primary maintainer for the HOWTO for over a year. Ambrose will still be
involved with the WWW site though.

Deleted a stray SPACE in section 6.4

Re-ordered the compatible MASQ'ed OS section and added instructions for
setting up a AS/400 system running on OS/400. Thanks to jaco@libero.it for
the notes.

Fixed an issue in the Stronger IPFWADM rule set where there were spaces between
"ppp_ip" and the "=".

In the kernel compiling section for 2.2.x kernels, I removed the reference to
enable "CONFIG_IP_ALWAYS_DEFRAG". This option was removed from the compiling
section and enabled by default with MASQ enabled in 2.2.12.

Because of the above change in the kernel behavior, I added the enabling of
ip_always_defrag to all the rc.firewall examples.

Updated the status of support for H.323. There are now ALPHA versions of
modules to support H.323 on both 2.0.x and 2.2.x kernels.

Added Debian v2.2 to the supported MASQ distributions list

Fixed a long standing issue where the section that covered explicit filtering
of IP addresses for IPCHAINS had old IPFWADM syntax. I've also cleaned this
section up a little and made it understandable.

Doh! Added Juan Ciarlante's URL to the important MASQ resources section.
Man.. you guys need to make me more honest than this!!

Updated the HOWTO to reflect kernels 2.0.38 and 2.2.15

Reversed the order shown to compile kernels to show 2.2.x kernels first as
2.0.x is getting pretty old.

Updated the 2.2.x kernel compiling section to reflect the changed options
for the latter 2.2.x kernels.

Added a possible solution for users that fail to get past MASQ test #5.

Changes from 1.81 to 1.82 - 01/22/00

Added a missing subsection for /proc/sys/net/ipv4/ip_dynaddr in the stronger
IPCHAINS ruleset. Section 6.5

Changed the IP Masq support for Debian 2.1 to YES

Reorganized and updated the "Masq is slow" FAQ section to include fixing
Ethernet speed and duplex issues.

Added a link to Donald Becker's MII utilities for Ethernet NIC cards

Added a missing ")" for the 2.2.x section (previously fixed it only for the
2.0.x version) to the ICQ portfw script and changed the evaluation from -lt
to -le

Added Caldera eServer v2.3 to the MASQ supported list

Added Mandrake 6.0, 6.1, 7.0 to the MASQ supported list

Added Slackware v7.0 to the MASQ supported list

Added Redhat 6.1 to the MASQ supported list

Added TurboLinux 4.0 Lite to the MASQ supported list

Added SuSe 6.3 to the MASQ supported list

Updated the recommended stable 2.2.x kernel to be anything newer than 2.2.11

In section 3.3, the HOWTO forgot how to tell the user how to load the
/etc/rc.d/rc.firewall upon each reboot. This has now been covered for Redhat
(and Redhat-based distros) and Slackware.

Added clarification in the Windows WFWG v3.x and NT setup sections why users
should NOT configure the DHCP, WINS, and Forwarding options.

Added a FAQ section on how to fix FTP problems with MASQed machines.

Fixed a typo in the Stronger firewall rulesets. The "extip" variable cannot
have the SPACE between the variable name and the "=" sign. Thanks to
johnh@mdscomp.com for the sharp eye.

Updated the compatibility section: Mandrake 7.0 is based on 2.2.14 and TurboLinux
v6.0 runs 2.2.12

Changes from 1.80 to 1.81 - 01/09/00

Updated the ICQ section to reflect that the new ICQ Masq module supports file
transfer and real-time chat. The 2.0.x module still has those limitations.

Updated Steven E. Grevemeyer's email address. He is the maintainer of the
IP Masq Applications page.

Fixed a few lines that were missing the word AREN'T for the "setsockopt" errors.

Updated an error in the strong IPCHAINS ruleset where it was using the variable
name "ppp_ip" instead of "extip".

Fixed a "." vs a "?" typo in section 3.3.1 in the DHCP comment section.

Added a missing ")" to the ICQ portfw script and changed the evaluation from
-lt to -le

Updated the Quake Module syntax to NOT use the "ports=" verbiage

Changes from 1.79 to 1.80 - 12/26/99

Fixed a space typo when setting the "ppp_ip" address.

Fixed a typo in the simple IPCHAINS ruleset. "deny" to "DENY"

Updated the URLs for Bjorn's "modutils" for Linux

Added verbiage about NetFilter and IPTables and gave URLs until it is added
to this HOWTO or a different HOWTO.

Updated the simple /etc/rc.d/rc.firewall examples to notify users about the
old Quake module bug.

Updated the STRONG IPCHAINS /etc/rc.d/rc.firewall to ADD a missing section on
dynamic IP addresses (PPP & DHCP) and the old Quake module bug.

Added a note in the "Applications that DO NOT work" section that there IS a
beta module for Microsoft NetMeeting (H.323 based) v2.x on 2.0.x kernels. There
are NO versions available for Netmeeting 3.x and/or 2.2.x kernels as of yet.

Changes from 1.78 to 1.79 - 10/21/99

Updated the HOWTO name to reflect that it isn't a MINI anymore!

Changes from 1.77 to 1.78 - 8/24/99

Fixed a typo in "Section 6.6 - Multiple Internal Networks" where the -a policy
was omitted.

Deleted the 2.2.x kernel configure option "Drop source routed frames" since it is now enabled by default and the kernel compile option was removed.

Updated the 2.2.x and all other IPCHAINS sections to notify users of the IPCHAINS fragmentation bug.

Updated all of the URLs pointing at Lee Nevo's old IP Masq Applications page
to Seg's new page.

Changes from 1.76 to 1.77 - 7/26/99

Fixed a typo in the Port forwarding section that used "ipmasqadm ipportfw -C"
instead of "ipmasqadm portfw -f"

Changes from 1.75 to 1.76 - 7/19/99

Updated the "ipfwadm: setsockopt failed: Protocol not available" message in the
FAQ to be clearer instead of making the user hunt for the answer in the Forwarders
section.

Fixed incorrect syntax in section 6.7 for IPMASQADM and "portfw"

Changes from 1.72 to 1.75 - 6/19/99

Fixed the quake module port setup order for the weak IPFWADM & IPCHAINS
ruleset and the strong IPFWADM ruleset as well.

Added a user report about port forwarding ICQ 4000 directly in and using ICQ's
default settings WITHOUT enabling the "Non-Sock" proxy setup.

Updated the URLs for the IPMASQADM tool

Added references to Taro Fukunaga, tarozax@earthlink.net for his MkLinux port
of the HOWTO

Updated the blurb about Sonny Parlin's FWCONFIG tool to note new IPCHAINS
support

Noted that Fred Vile's patch for portfw'ed FTP access is ONLY available for the
2.0.x kernels

Updated the 2.2.x kernel step with a few clarifications on the Experimental tag

Added Glen Lamb's name to the credits for the LooseUDP patch

Added a clarification on installing the LooseUDP patch that it should use "cat"
for non-compressed patches.

Fixed a typo in the IPAUTO FAQ section

I had the DHCP client port numbers reversed for the IPFWADM and IPCHAINS
rulesets. The order I had was if your Linux server was a DHCP SERVER.

Added explicit /sbin path to all weak and strong ruleset examples.

Made some clarifications in the strong IPFWADM section regarding Dynamic IP
addresses for PPP and DHCP users. I also noted that the strong rulesets should
be re-run when PPP comes up or when a DHCP lease is renewed.

Added references in the 2.2.x requirements, updated the ICQ FAQ section, and
added Andrew Deryabin to the credits section for his ICQ MASQ module.

Added some clarifications to the FAQ section explaining why the 2.1.x and 2.2.x
kernels went to IPCHAINS.

Added a little FAQ section on Microsoft File/Print/Domain services (Samba)
through a MASQ server. I also added an URL to a Microsoft Knowledge based
document for more details.

Added clarifications to the FAQ section that NO Debian distribution supports IP
masq out of the box.

Updated the supported MASQ distributions in the FAQ section.

Added to the Aliased NIC section of the FAQ that you CANNOT masq out of an
aliased interface.

Wow.. never caught this before but the "ppp-ip" variable in the strong ruleset
section is an invalid variable name! It has been renamed to "ppp_ip"

In both the IPFWADM and IPCHAINS simple ruleset setup areas, I had a commented
out section on enabling DHCP traffic. Problem is, it was below the final
reject line! Doh! I moved both up a section.

In the simple IPCHAINS setup, the #d out line for DHCP users, I was using the
IPFWADM "-W" command instead of IPCHAINS's "-i" parameter.

Added a little blurb to the Forwarders section the resolution to the famous
"ipfwadm: setsockopt failed: Protocol not available" error. This also includes
a little /proc test to let users confirm if IPPORTFW is enabled in the kernel.
I also added this error to a FAQ section for simple searching.

1.70 - 3/30/99 - Dranch: Added two new FAQ sections that cover SMTP/POP-3
timeout problems and how to masquerade multiple internal networks out onto
different external IP addresses with IPROUTE2.

1.65 - 3/29/99 - Dranch: Typo fixes, clarifications of required 2.2.x kernel
options, added dynamic PPP IP address support to the strong firewall section,
additional quake II module ports, noted that the LooseUDP patch is built into
later 2.2.x kernels and it's from Glenn Lamb and not Dan Kegel, added more game
info in the compatibility section.

1.62 - Dranch: Make the final first-draft changes to the doc and now announce
it in the MASQ email list.

1.61 - Dranch: Made editorial changes, cleaned things up and fixed some errors
in the Windows95 and NT setups.

1.58 - Dranch: Addition of the port forwarding sections; LooseUDP setup; Ident
servers for IRC users, how to read firewall logs, deleted the CuSeeme Mini-HOWTO
since it is rarely used.

1.55 - Dranch: Complete overhaul, feature and FAQ addition, and editing sweep
of the v1.50 HOWTO. Completed the 2.2.x kernel and IPCHAINS configurations.
Did a conversion from IPAUTOFW to IPPORTFW for the examples that applied.
Added many URLs to various other documentation and utility sites. There are so
many changes.. I hope everyone likes it. Final publishing of this new rev of
the HOWTO to the LDP project won't happen until the doc is looked over and
approved by the IP MASQ email list (then v2.00).

1.50 - Ambrose: A serious update to the HOWTO and the initial addition of the
2.2.0 and IPCHAINS configurations.

1.20 - Ambrose: One of the more recent HOWTO versions that solely dealt with
< 2.0.x kernels and IPFWADM.